Magic Lantern Firmware Wiki

General Notes

This is a small page of information for new developers trying to assemble a FIR file to run initial code on a camera. I will compile from a few sources to (hopefully) make one easy-to-read page. This is just for older cameras that didn't use encryption; I do not understand encryption at all, but if someone wants to add that, be my guest :). => See Fir_Security and Firmware_file.

- Coutts


Here are notes from a PM from englemarkus. He is explaining how to use the perl script assemble_fw. This is referencing the 1000d and 400d:

1. If there's an AUTOEXEC.BIN on the sd card, the firmware will load it to RAM and try to boot it.
2. For booting from an AUTOEXEC.BIN, you have to use FAT16 as a file system and you have to use "EOS_DEVELOP" as a label.
3. You have an address space from 0x00000000 - 0xFFFFFFFF... The original firmware is mapped to 0xFF800000 and is 8 MB in size (= 0x800000). 0xFF800000 + 0x800000 = 0xFFFFFFFF.
4. Fir files are always loaded to 0x800000.

Structure of a fir file:
1. Flash Header (0x120 Bytes)
2. Flasher
3. Data Header
4. Data

The flasher starts at 0x800120 after the fir file is loaded, as the header is 288 bytes in size. So "$offset" has to be 0x120!

And an email from chuchin regarding getting started with the 1000d:

Hi Andrew, first you will need to decrypt the update flasher. Use the dissect_fw3_2 tool. In the command line type:
  x:\1000d dissect_fw3_2.exe e6kr5107.fir
It should give you 4 files. You only need the header and the flasher, which I have included. With perl, use the command line and type:
  x:\1000d perl assemble_fw
It should give you a .fir file. Replace my autoexec.bin file - it is not for the 1000d.

Useful Tools

There are a few tools that are quite useful for developers working with FIR files. Each name links to its download location.

dissect_fw3_2

A Windows program that splits the firmware up into the different parts explained earlier so that you can pack your own autoexec.bin to replace the payload in the original firmware update. You will get 3 files: the header, the flasher and the payload. Use these with assemble_fw as explained next.

assemble_fw

A perl script that takes your autoexec.bin and combines it with the header and flasher from the updater fir to create your new fir. The checksum is also corrected before the final .fir file is spit out. You will need to edit the offset setting depending on what camera you are working on. This is what englemarkus was referring to earlier about an offset of 0x120 (this is for 1000d).

fir_tool

A python script used for analyzing FIR files. It gives a lot of useful information in an easy-to-read format: each offset and the information stored there. It can also extract the payload from a .FIR file and decrypt it (some, I think; not sure about AES-encrypted cameras). Here is a sample output, from a 1000d v1.0.7 update:

coutt1aj:downloads coutt1aj$ python e6kr5107.fir
Fir_tool 0.5 (20Mar2010)

fileLen = 0x715cfc
---.fir header---
0x000: modelId = 0x80000254, (1000D / Rebel XS, VxWorks)
0x010: version = 1.0.7
0x020: checksum = 0xc7902bcd
0x024: updater1 header = 0xb0
0x028: updater1 offset = 0x120
0x02c: updater2 offset = 0xffffffff
0x030: firmware offset = 0x1a0190
0x034: 0xffffffff
0x038: embedded file size = 0x715cfc
0x03c: 0x0
0x040: sha1 seed = 0xd54a6484
0x044: 0x00000004 0x00000000 0x00000020 0x00000024 0x00000044 0x000000b0 0x001a00e0
0x060: 0x1a0190
0x064: firmware length = 0x575b6c
0x068: updater1 hmac-sha1 = 9d131fc81c605427a4bb4490f04669efbc510e11
0x088: firmware hmac-sha1 = 6f31a5573fec1b159290228aadbeec4d71ce5c2b
---updater1 header---
0x0b0: updater1 length = 0x1a0070. starts at 0x120
0x0b4: 0x1a0070
0x0b8: 0x0
0x0bc: xor seed value = 0x933629ce
0x120: --- updater1 (ciphered) ---
---firmware header---
0x1a0190: (+0x000), offset to decryption data = 0xc
0x1a0194: (+0x004), offset to encrypted data = 0x7c. starts at 0x1a0190
0x1a0198: (+0x008), total firmware length (including header) = 0x575b6c. starts at 0x1a0190
0x1a019c: (+0x00c), firmware length (encrypted part) = 0x575af0. starts at 0x1a020c
0x1a01a0: (+0x010), 0x00575aea
0x1a01a4: (+0x014), 0x0
0x1a01a8: (+0x018), 0xba510112
0x1a01ac: (+0x01c), 7c5bb4cfd6c106db1246f70e541961c1
0x1a01bc: (+0x02c), e3ea4f2f40551f7fcb1413f2288f50237c920d289a46e6cc6c3c013faee45faf
0x1a01dc: (+0x04c), da5bd5dbcdecd8c318d17d763a11149b
0x1a01ec: (+0x05c), 0de3c8cabf01ced75a08583ffefd4f8fee9f22c44167d15840f269e96d556cd0
---firmware (encrypted)---
0x1a020c: (+0x07c)
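
As an added example (not part of the original page or of fir_tool), the following Python code reads the header fields at the offsets shown in the sample output and checks that the section offsets and lengths add up to the file size. It assumes little-endian 32-bit words, a NUL-padded ASCII version string and a single updater, as in the 1000D sample; the header bytes are constructed from the printed values.

```python
import struct

# Offsets as printed in the fir_tool sample output above (1000D v1.0.7).
FIELDS = {"model_id": 0x000, "checksum": 0x020, "updater1_header": 0x024,
          "updater1_offset": 0x028, "updater2_offset": 0x02C,
          "firmware_offset": 0x030, "embedded_size": 0x038,
          "firmware_length": 0x064}

def parse_fir_header(blob):
    """Read the header fields; assumes little-endian 32-bit words."""
    if len(blob) < 0x68:
        raise ValueError("too short to hold the FIR header fields")
    hdr = {k: struct.unpack_from("<I", blob, off)[0] for k, off in FIELDS.items()}
    # Assumption: the version is a NUL-padded ASCII string at 0x010.
    hdr["version"] = blob[0x10:0x20].split(b"\0")[0].decode("ascii", "replace")
    # 'updater1 header' points at a small header whose first word is the length.
    u1h = hdr["updater1_header"]
    if u1h + 4 > len(blob):
        raise ValueError("updater1 header pointer is outside the data")
    hdr["updater1_length"] = struct.unpack_from("<I", blob, u1h)[0]
    return hdr

def layout_problems(hdr, file_len):
    """Compare section offsets and lengths with the real file size."""
    problems = []
    if hdr["embedded_size"] != file_len:
        problems.append("embedded file size differs from actual file length")
    if hdr["updater1_offset"] + hdr["updater1_length"] != hdr["firmware_offset"]:
        problems.append("updater1 does not end where the firmware starts")
    if hdr["firmware_offset"] + hdr["firmware_length"] != file_len:
        problems.append("firmware section does not end at end of file")
    return problems

def sample_header():
    """Constructed 0x120-byte header filled with the sample output's values."""
    buf = bytearray(0x120)
    words = {0x000: 0x80000254, 0x020: 0xC7902BCD, 0x024: 0xB0, 0x028: 0x120,
             0x02C: 0xFFFFFFFF, 0x030: 0x1A0190, 0x038: 0x715CFC,
             0x064: 0x575B6C, 0x0B0: 0x1A0070}
    for off, val in words.items():
        struct.pack_into("<I", buf, off, val)
    buf[0x10:0x15] = b"1.0.7"
    return bytes(buf)

if __name__ == "__main__":
    hdr = parse_fir_header(sample_header())
    print(hdr["version"], hex(hdr["model_id"]), layout_problems(hdr, 0x715CFC))
```

A truncated or re-assembled file whose lengths no longer add up is reported by layout_problems before anything is copied to a card.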

Useful links / readings

A list of commands:

coutt1aj:downloads coutt1aj$ python -h
Usage: [options] filename

  -h, --help      show this help message and exit
  -z, --zeros     print fields usually filled with zeros
  -c, --checksum  verify checksum(s)
  -x, --extract   extract updater(s) code
  -v, --verbose   verbose mode

Where do I start??

First you must analyze a Canon update to extract a firmware dump from it (well, a partial one, at least enough to look through).

Then create a small project to run, something simple like dumping the firmware so that you can view a bin file. After you have a firmware dump, you can find functions like EnableBootDisk, which sets the bootflag (the camera will then load autoexec.bin files from bootable SD cards without needing to run FIR files anymore), dumpf, which lets you view the debug message log, and the LED addresses.

I have hosted, in a repository on my Bitbucket, a very simple project Indy sent me from his testing on a 450d. He was able to get a firmware dump, dump the debug log and flash the LED. This is a very good starting point for development on VxWorks cameras. Link here.

Other Information

These are links to other wiki pages that are good to read. Many thanks to those devs who have taken the time to take notes for us :)

  • on the 7d. Indy explains fir_tool with samples from the 7d updater: here
  • Explanation of FIR file header and what is at each offset (more links to other resources): here
  • 40d development - early stages working with .fir files: here


So that's pretty much all you'll need to start. That is, of course, if you are working on something older :P For these newer cameras, I will leave it to Indy to edit if he wishes, as this is his area of expertise ;)